Behavioral-based control of access to encrypted content by a process
First Claim
1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:
encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
monitoring an exposure state of a process on the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (3) the process is identified as exposed when the process opens a first file that is identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process; and
restricting access by the process to the plurality of files when the process is exposed by controlling access to the plurality of files through a file system filter that conditionally decrypts one or more of the plurality of files for the process according to the exposure state of the process.
Abstract
Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.
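The abstract describes a small state machine: a process starts secure and flips to exposed on any of three observed behaviours, and a file system filter hands out plaintext only while the process is still secure. The following is an added worked example, not code from the patent or its assignee, that simulates that model end to end. Everything concrete in it is an assumption of the example: the reputation table, the enterprise domain suffix used for the "internal" test, the process and file names, the extra rule that a file written by an exposed process becomes exposed content (the claims do not say how a file first earns that label), and a toy SHA-256 XOR stream standing in for the real file encryption.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse

SECURE, EXPOSED = "secure", "exposed"
URL_REPUTATION = {  # constructed reputation feed (assumption, not from the patent)
    "updates.example.com": "good",
    "evil.example.net": "poor",
    "intranet.corp.example": "poor",  # internal host: rule (2) must not fire on it
}
INTERNAL_SUFFIX = ".corp.example"  # assumed enterprise domain

def seal(key: bytes, path: str, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode XOR stream keyed per path, standing in for the real
    # file encryption; it is its own inverse, so one call encrypts and decrypts.
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + path.encode() + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

@dataclass
class Process:
    pid: int
    name: str
    state: str = SECURE  # rule (1): every process starts secure
    reasons: list = field(default_factory=list)

class Endpoint:
    def __init__(self, key: bytes):
        self._key = key
        self.processes = {}         # pid -> Process
        self.vault = {}             # path -> ciphertext of a protected file
        self.exposed_files = set()  # paths identified as exposed content

    def protect_file(self, path: str, plaintext: bytes):
        self.vault[path] = seal(self._key, path, plaintext)

    def start_process(self, pid: int, name: str):
        self.processes[pid] = Process(pid, name)

    def _expose(self, pid: int, reason: str):
        self.processes[pid].state = EXPOSED
        self.processes[pid].reasons.append(reason)

    def open_connection(self, pid: int, url: str):
        # Rule (2): the URL must be both external and of poor reputation.
        host = urlparse(url).hostname or ""
        if not host.endswith(INTERNAL_SUFFIX) and URL_REPUTATION.get(host) == "poor":
            self._expose(pid, f"rule2: external poor-reputation host {host}")

    def open_file(self, pid: int, path: str):
        # Rule (3): opening a file already identified as exposed.
        if path in self.exposed_files:
            self._expose(pid, f"rule3: opened exposed file {path}")

    def write_file(self, pid: int, path: str):
        # Assumption not in the claims: output of an exposed process is exposed content.
        if self.processes[pid].state == EXPOSED:
            self.exposed_files.add(path)

    def open_handle(self, src_pid: int, dst_pid: int):
        # Rule (4): an exposed process opening a handle to another process.
        if self.processes[src_pid].state == EXPOSED:
            self._expose(dst_pid, f"rule4: handle opened by exposed pid {src_pid}")

    def read(self, pid: int, path: str) -> bytes:
        # File system filter: the stored ciphertext is decrypted only for a process
        # still in the secure state; an exposed process gets the raw ciphertext.
        data = self.vault[path]
        if self.processes[pid].state == SECURE:
            return seal(self._key, path, data)
        return data

    def remediate(self, pid: int):
        # Remediation component: return the process to the secure state.
        self.processes[pid].state, self.processes[pid].reasons = SECURE, []

def run_scenario() -> dict:
    # Constructed event sequence exercising rules (1)-(4), the filter and remediation.
    path, plain = "/vault/payroll.xlsx", b"salary table"
    ep = Endpoint(key=b"\x01" * 32)
    ep.protect_file(path, plain)
    for pid, name in ((100, "browser"), (200, "editor"), (300, "indexer"), (400, "backup")):
        ep.start_process(pid, name)
    ep.open_connection(100, "https://intranet.corp.example/")  # internal: stays secure
    state_after_internal = ep.processes[100].state
    ep.open_connection(100, "https://evil.example.net/dl")     # rule (2) fires
    ep.write_file(100, "/home/u/Downloads/invoice.doc")        # download tagged exposed
    ep.open_file(200, "/home/u/Downloads/invoice.doc")         # rule (3): editor exposed
    ep.open_handle(200, 300)                                   # rule (4): indexer exposed
    reads = {p.name: ep.read(p.pid, path) for p in ep.processes.values()}
    states = {p.name: p.state for p in ep.processes.values()}
    ep.remediate(100)
    return {"state_after_internal_url": state_after_internal, "states": states,
            "reads": reads, "browser_after_remediation": ep.read(100, path),
            "ciphertext": ep.vault[path], "plaintext": plain}
```

Two details of the model are worth noticing when reading the claims. Rule (2) is a conjunction: the internal host with a poor score does not expose the browser, only the external one does, so the quality of the "internal" test matters as much as the reputation feed. And exposure is sticky: nothing in rules (1) to (4) clears the state, so the indexer stays locked out of the vault until the remediation component runs, which is why the claims pair the filter with a remediation step rather than a timeout.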
18 Claims
1. Independent claim 1 as set out above under First Claim. Dependent claims: 2, 3, 4.

5. A method comprising:
encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
monitoring an exposure state of a process on the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein the process is initially identified as secure and the process is identified as exposed based on contact with content other than the plurality of files;
identifying the process as exposed according to the plurality of behavioral rules, wherein (1) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (2) the process is identified as exposed when the process opens a first file that is identified as exposed, and (3) the process is identified as exposed when another exposed process opens a handle to the process; and
restricting access by the process to the plurality of files when the process is exposed.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17.

18. A system comprising:
an endpoint;
a first memory on the endpoint storing a plurality of files, the plurality of files encrypted to prevent unauthorized access;
a process executing on the endpoint;
a file system on the endpoint configured to manage access to the plurality of files by the process, the file system including an extension configured to monitor an exposure state of the process and to restrict access to the one of the files based on the exposure state of the process by conditionally decrypting the one of the files based on the exposure state;
an integrity monitor configured to evaluate the exposure state by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein the process is initially identified as secure and the process is identified as exposed based on contact with content other than the plurality of files, wherein the integrity monitor is further configured to identify the process as exposed according to the plurality of behavioral rules, wherein (1) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (2) the process is identified as exposed when the process opens a first file that is identified as exposed, and (3) the process is identified as exposed when another exposed process opens a handle to the process; and
a remediation component configured to remediate the process from the exposed state to the secure state for unrestricted access to the plurality of files.
Specification